
Reference Architecture

Four-tier architecture with defense-in-depth security, multi-region redundancy, and compliance-ready data boundaries.

Architecture

Four-tier platform architecture

Tier 1: Presentation Layer

Web Application
React-based SPA served via global CDN with edge caching
API Gateway
Rate limiting, authentication, request routing, and TLS termination
Load Balancer
Application-level load balancing with health checks and auto-scaling

Tier 2: Application Layer

Cost Analysis Engine
Real-time cost aggregation, normalization, and multi-cloud correlation
Optimization Engine
ML-powered recommendation engine for rightsizing, reservations, and waste elimination
Governance Engine
Policy evaluation, tagging enforcement, and compliance monitoring
Reporting Service
Report generation, scheduling, and delivery via email, Slack, and API
Event Processing
Real-time event stream processing for anomaly detection and alerting

Tier 3: Data Layer

Time-Series Database
High-performance storage for cost metrics with sub-second query latency
Relational Database
PostgreSQL-based storage for configuration, policies, and user data
Object Storage
S3-compatible storage for raw billing data, reports, and audit logs
Cache Layer
Redis-based caching for frequently accessed queries and session management
Search Index
Elasticsearch-based full-text search across resources, tags, and cost items

Tier 4: Integration Layer

Cloud Connectors
Native connectors for AWS, Azure, GCP, OCI, and private cloud billing APIs
Webhook Gateway
Outbound webhook delivery with retry logic, signing, and delivery confirmation
SCIM Endpoint
User provisioning endpoint for identity provider synchronization
Data Export Pipeline
Automated data export to Snowflake, BigQuery, Redshift, and S3
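The Webhook Gateway above is described as delivering outbound webhooks with signing, retry logic, and delivery confirmation. The following is an added example, not the platform's own gateway code, showing how those three properties fit together on the wire: the sender signs a timestamp plus the raw body with HMAC-SHA256, the receiver rejects stale timestamps before doing a constant-time signature compare, and delivery is retried with exponential backoff only for outcomes where a retry can help. The header names, the `v1=` signature prefix, the secret, and the fake HTTP sender are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time

SECRET = b"whsec_constructed_example_secret"   # constructed per-endpoint secret
SIGNATURE_HEADER = "X-Webhook-Signature"       # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"       # assumed header name
REPLAY_WINDOW_SECONDS = 300                    # receiver's freshness window


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over timestamp and body, so a captured delivery cannot be
    replayed after the window or re-sent with a different body."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(secret: bytes, event: dict, now: int):
    """Sender side: canonical JSON body plus timestamp and signature headers."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(now),
        SIGNATURE_HEADER: "v1=" + sign_payload(secret, now, body),
    }
    return headers, body


def verify_request(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Receiver side: reject stale timestamps first, then compare the MAC in
    constant time over the raw body bytes (never over re-serialised JSON)."""
    try:
        ts = int(headers[TIMESTAMP_HEADER])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    sig = headers.get(SIGNATURE_HEADER, "")
    if not sig.startswith("v1="):
        return False
    return hmac.compare_digest(sig[3:], sign_payload(secret, ts, body))


def deliver_with_retry(send, headers, body, max_attempts=5, base_delay=0.0):
    """Retry transport failures, 429 and 5xx with exponential backoff.
    A 2xx confirms delivery; any other 4xx is final (the receiver rejected it).
    `send(headers, body)` returns an HTTP status code or raises ConnectionError.
    Returns (delivered, attempts_used)."""
    for attempt in range(1, max_attempts + 1):
        try:
            status = send(headers, body)
        except ConnectionError:
            status = None
        if status is not None and 200 <= status < 300:
            return True, attempt
        if status is not None and 400 <= status < 500 and status != 429:
            return False, attempt
        if attempt < max_attempts:
            time.sleep(base_delay * (2 ** (attempt - 1)))
    return False, max_attempts


def make_fake_sender(outcomes):
    """Constructed stand-in for an HTTP client: each call yields the next item,
    either a status code to return or an exception instance to raise."""
    queue = list(outcomes)

    def send(headers, body):
        outcome = queue.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome

    return send


if __name__ == "__main__":
    now = 1_700_000_000
    headers, body = build_request(SECRET, {"event": "budget.exceeded", "id": "evt_1"}, now)
    print("fresh delivery verifies:", verify_request(SECRET, headers, body, now + 5))
    print("replay an hour later verifies:", verify_request(SECRET, headers, body, now + 3600))
    print(deliver_with_retry(make_fake_sender([ConnectionError(), 503, 200]), headers, body))
```

Two design points worth noting for a receiver: the timestamp check runs before the HMAC so a flood of stale deliveries is cheap to discard, and the signature is computed over the exact bytes received rather than a parsed-and-reserialised document, since any difference in whitespace or key order would silently break verification.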

Encryption

Encryption at every boundary

Location                     | Method                              | Standard
Client to API Gateway        | TLS 1.3 with certificate pinning    | FIPS 140-2
API Gateway to Application   | Mutual TLS (mTLS)                   | Zero-trust
Application to Database      | TLS 1.3 with client certificates    | In-transit
Database at Rest             | AES-256-GCM                         | At-rest
Object Storage               | SSE-KMS with customer-managed keys  | At-rest
Inter-Service Communication  | mTLS via service mesh               | Zero-trust
Backup Storage               | AES-256 with separate key hierarchy | At-rest

Network Topology

Network security zones

Public Zone

CDN, WAF, and API Gateway. Only externally accessible components.

CDN, WAF, Load Balancer, API Gateway

Application Zone

Application services in private subnets. No direct internet access.

Compute instances, Kubernetes cluster, Service mesh

Data Zone

Databases and storage in isolated subnets. No internet access, only application zone connectivity.

Databases, Cache, Object Storage, Search

Management Zone

CI/CD, monitoring, and administration. Accessed via VPN/bastion only.

CI/CD, Monitoring, Logging, Bastion
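The four zones above define a small set of permitted flows: the internet reaches only the public zone, the public zone talks to the application zone, the application zone is the only path into the data zone, and the management zone is entered only through VPN or a bastion. A practical way to keep a deployment honest against that model is to lint candidate firewall or security-group rules before they are applied. The code below is an added example, not the platform's tooling; the rule shape (source zone, destination zone, port), the `vpn` pseudo-zone, and the assumption that the management zone may reach the other three for administration are all choices made here rather than statements from the page.

```python
from dataclasses import dataclass

INTERNET = "internet"
VPN = "vpn"                      # assumed pseudo-zone for VPN/bastion ingress
PUBLIC, APP, DATA, MGMT = "public", "application", "data", "management"

# Permitted cross-zone flows, derived from the zone descriptions. Anything
# not listed here is denied by default; same-zone traffic is left to the
# service mesh and is not a cross-zone flow.
ALLOWED_FLOWS = {
    (INTERNET, PUBLIC),          # only the public zone is externally accessible
    (PUBLIC, APP),               # gateway/load balancer into application services
    (APP, DATA),                 # data zone accepts application-zone traffic only
    (VPN, MGMT),                 # management zone reached via VPN/bastion only
    (MGMT, PUBLIC),              # assumption: management may administer the others
    (MGMT, APP),
    (MGMT, DATA),
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int


def rule_violations(rules):
    """Return [(rule, reason)] for every rule the zone model does not permit."""
    violations = []
    for r in rules:
        if r.src == r.dst or (r.src, r.dst) in ALLOWED_FLOWS:
            continue
        if r.dst == INTERNET:
            reason = f"{r.src} zone has no internet egress"
        elif r.src == INTERNET:
            reason = f"{r.dst} zone is not externally accessible"
        elif r.dst == MGMT:
            reason = "management zone is reachable only via VPN/bastion"
        else:
            reason = f"{r.src} -> {r.dst} is not a permitted zone crossing"
        violations.append((r, reason))
    return violations


if __name__ == "__main__":
    # Constructed candidate rule set with three mistakes mixed in.
    candidate = [
        Rule(INTERNET, PUBLIC, 443),
        Rule(PUBLIC, APP, 8443),
        Rule(APP, DATA, 5432),
        Rule(DATA, INTERNET, 443),   # data zone must have no internet access
        Rule(INTERNET, APP, 22),     # application zone is not externally reachable
        Rule(PUBLIC, DATA, 5432),    # data zone accepts application-zone traffic only
    ]
    for rule, why in rule_violations(candidate):
        print(f"DENY {rule.src}->{rule.dst}:{rule.port}  ({why})")
```

Running the check in CI against the rendered rule set turns the zone diagram into a test: a rule that lets the data zone reach the internet, or exposes an application port directly, fails the build instead of being discovered during an audit.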

Compliance Boundaries

Compliance boundary architecture

Our architecture supports multiple compliance boundaries within a single deployment, allowing you to maintain different security postures for different data classifications.

Data Classification Boundary

Separate processing pipelines for different data classification levels. Cost data from classified environments is processed in isolated compute with dedicated encryption keys.

  • Separate encryption key hierarchies
  • Isolated compute environments
  • Independent audit trails
  • Classification-based access policies

Regulatory Compliance Boundary

Regional boundaries that enforce data residency requirements. EU cost data stays in EU regions, HIPAA data in compliant environments, government data in authorized clouds.

  • Regional data isolation
  • Compliance-specific encryption
  • Regulatory audit logging
  • Cross-boundary data flow controls

Organizational Boundary

Logical isolation between business units, subsidiaries, and partner organizations. Each entity gets its own namespace, access policies, and cost allocation model.

  • Namespace isolation
  • Entity-level RBAC
  • Independent cost models
  • Cross-entity aggregation controls

Network Security Boundary

Defense-in-depth network architecture with WAF, DDoS protection, micro-segmentation, and zero-trust inter-service communication via mutual TLS.

  • WAF with OWASP rules
  • Layer 3/4 DDoS protection
  • Service mesh mTLS
  • Network policy enforcement
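The data classification, regulatory, and organizational boundaries above all reduce to the same shape of decision: before a record is processed somewhere, every boundary it crosses must explicitly permit the crossing, and the decision must be written to an audit trail. The following is an added example of such a deny-by-default evaluator, not the platform's Governance Engine; the record and target field names, the residency-to-region mapping, and the convention that a classification's dedicated key hierarchy is named `<entity>/<classification>` are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    entity: str           # organizational boundary: business unit, subsidiary, partner
    classification: str   # data classification level, e.g. "internal", "confidential"
    residency: str        # regulatory residency tag, e.g. "eu", "us", "us-gov"


@dataclass(frozen=True)
class Target:
    entity: str           # entity whose namespace will process the record
    region: str           # region where processing happens
    key_hierarchy: str    # KMS hierarchy the processing environment is bound to


# Constructed mapping from residency tag to the regions that satisfy it.
RESIDENCY_REGIONS = {
    "eu": {"eu-west", "eu-central"},
    "us": {"us-east", "us-west"},
    "us-gov": {"us-gov-west"},
}


def evaluate(record, target, cross_entity_grants=frozenset(), audit=None):
    """Return (allowed, reasons). All three boundaries must pass; any failure
    denies, and the outcome is appended to `audit` when one is supplied."""
    reasons = []

    # Organizational boundary: cross-entity aggregation only via an explicit grant.
    if record.entity != target.entity and (record.entity, target.entity) not in cross_entity_grants:
        reasons.append(f"cross-entity flow {record.entity}->{target.entity} not granted")

    # Regulatory boundary: the processing region must satisfy the residency tag.
    allowed_regions = RESIDENCY_REGIONS.get(record.residency)
    if allowed_regions is None:
        reasons.append(f"unknown residency tag {record.residency!r}")
    elif target.region not in allowed_regions:
        reasons.append(f"region {target.region} outside {record.residency} residency")

    # Classification boundary: data is processed only under its own key hierarchy.
    expected_keys = f"{record.entity}/{record.classification}"
    if target.key_hierarchy != expected_keys:
        reasons.append(f"key hierarchy {target.key_hierarchy} is not {expected_keys}")

    allowed = not reasons
    if audit is not None:
        audit.append({
            "entity": record.entity,
            "classification": record.classification,
            "residency": record.residency,
            "target_entity": target.entity,
            "target_region": target.region,
            "decision": "allow" if allowed else "deny",
            "reasons": list(reasons),
        })
    return allowed, reasons


if __name__ == "__main__":
    trail = []
    rec = Record("acme-eu", "confidential", "eu")
    print(evaluate(rec, Target("acme-eu", "eu-west", "acme-eu/confidential"), audit=trail))
    print(evaluate(rec, Target("acme-eu", "us-east", "acme-eu/confidential"), audit=trail))
    print(evaluate(rec, Target("acme-us", "eu-west", "acme-eu/confidential"), audit=trail))
    for entry in trail:
        print(entry["decision"], entry["reasons"])
```

The evaluator collects every failing boundary rather than stopping at the first, so an audit entry shows the full set of reasons a flow was denied; an unknown residency tag is treated as a denial rather than as "no requirement", which is the safe default for a control meant to enforce data residency.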

High Availability

Reliability and disaster recovery

Multi-AZ Deployment

All production services deployed across multiple Availability Zones with automatic failover. No single point of failure.

Cross-Region DR

Standby environment in secondary region with < 4 hour RTO and < 1 hour RPO. Automated failover for critical components.

Database Replication

Synchronous replication within regions, asynchronous across regions. Point-in-time recovery for up to 35 days.

Auto-Scaling

Horizontal auto-scaling for compute and ingestion services. Handles 10x traffic spikes without performance degradation.

Health Monitoring

Comprehensive health checks at infrastructure, application, and business logic levels. Self-healing for common failure modes.

Chaos Engineering

Regular chaos engineering exercises to validate resilience. Failure injection testing for all critical paths and dependencies.

Need a detailed architecture review?

Our solutions architects will conduct a detailed architecture review for your specific deployment requirements.
